Don’t Leave Holes in Your Office 365 Access Control Strategy

Secure every access point to Microsoft Office 365 emails and data with VMware Workspace ONE.

If your organization is like most, you’re either using Microsoft Office 365 or thinking about an Office 365 implementation. Since the data and email in Office 365 are vital to your business, you’ve probably thought through how to protect access to Office 365 with application access control policies and mobile email management (MEM) tools. You need to ensure, however, that your policies protect all clients with access to Office 365.

Imagine that one of your end users goes to visit family for the holidays. While at her parent’s house, she borrows her father’s laptop to check work emails. Although your IDP requires multi-factor authentication (MFA) for access to Office 365, the user logs into Outlook 2010 using nothing more than a username and password. Outlook downloads her mailbox, she checks her email, and after a few days, she returns home.

All her emails, however, stay on the laptop. That data is out of her control and out of IT’s control, creating data loss risks if the laptop is sold, lost or compromised with malware. How did your user (unwittingly) bypass your conditional access rules, and what can you do to protect your data and email?

In this blog post, we’ll cover how this data leak occurred, and how VMware Workspace ONE allows you to avoid similar Office 365 data losses and security holes.

Applying Access Policies to Office 365 Authentication Methods

To understand why your MFA requirement didn’t apply to the end user in the scenario above, you have to understand that Office 365 supports two ways to log users in: Modern authentication and legacy username/password authentication. If you’re relying on a product that sets policies for just modern authentication—or legacy authentication only—you run the risk of unexpected access to Office 365. Workspace ONE protects both authentication methods with one solution.

Protecting both authentication types is vital for most organizations. Workspace ONE controls access to Office 365 no matter which client app a user chooses with policies based on group, network range, device type or OS and more.

Modern vs. Legacy Authentication

Here’s how to tell the difference Office 365 modern authentication and legacy username/password authentication:

Modern Authentication

If the end user is redirected to an IDP in a browser, it’s modern authentication.

Microsoft modern authentication redirects the end user in a browser from the Office 365 app to an identity provider (IdP), such as Workspace ONE, to authenticate. Modern authentication takes advantage of Microsoft’s Azure Active Directory Authentication Libraries (ADAL). For more details on modern authentication, see Microsoft’s summary here.

This is modern authentication. The user is redirected to Workspace ONE in a browser.

Legacy Authentication

If the end user enters credentials into the client’s UI (and there’s no redirection to an IDP), it’s legacy username/password authentication.

In username/password authentication, the Office 365 client collects a username and password in its own UI (rather than sending the user to an IDP in a browser). Because the user enters their credentials into the client rather than using standard browser single sign-on (SSO), legacy username/password authentication doesn’t support advanced features such as MFA or VMware mobile SSO. Microsoft sometimes calls legacy username/password authentication by a more specific name such as basic authentication or the Microsoft Online Services Sign-In Assistant.

This is legacy username/password authentication. The user enters credentials directly into the client UI—there’s no browser redirect to Workspace ONE or another IDP.

Many identity solutions can only protect access to Office 365 for clients using modern authentication. Workspace ONE protects access to Office 365 without requiring additional products or servers, no matter what client a user chooses.

Use Cases for Controlling Access to Office 365

Modern authentication supports MFA tools (such as VMware Verify), certificate authentication, VMware mobile SSO and other authentication methods of Workspace ONE, organizations have fine-grained control over how they allow access for Office 365 clients using modern authentication.

Legacy username/password clients, as their name implies, support only username and password authentication. Workspace ONE gives organizations the ability to add another authentication factor with powerful MEM tools that decrease risk and IT control without inconveniencing users. For applications beyond mobile email, consider the following approaches:

Allow legacy username/password access to Office 365 for mobile email only. In this approach, your organization could block legacy username/password access to Office 365 apps and data for all apps and add an exception for native mobile email clients that use Exchange ActiveSync. Your organization can also choose to limit mobile email access to the extra-secure VMware Boxer app. This approach works well with the MEM features in Workspace ONE. Many organizations choose this path because it empowers workers with secure access to mobile email without opening the door to old versions of Office or third-party apps like Thunderbird.

Allow legacy username/password access to Office 365 only under more secure conditions. Because legacy username/password clients such as Thunderbird or older versions of Office don’t support MFA, some organizations want to limit these clients to only connect to Office 365 under more secure circumstances. For example, you might only allow Thunderbird on your corporate network to ensure users are not downloading their mailboxes on multiple computers. This approach can reduce the risk of data loss.

Allow legacy username/password access only for specific users or groups. Organizations may want to limit which users can connect to Office 365. For example, IT could block retail employees from accessing mobile email while they are offsite.

Block all access to Office 365 for clients that don’t support MFA or other secure authentication. Some organizations want to ensure all users access Office 365 with MFA or mobile SSO. Because modern authentication clients support these methods but many legacy username/password clients do not, these organizations can block username/password client apps. Users will still be able to access Office 365 through Office 2016 apps (or Office 2013 apps, if they are configured correctly). This approach works well with using Workspace ONE MEM to ensure that Boxer and mobile email apps use a second factor to authenticate into Office 365.

Workspace ONE & Office 365

Workspace ONE makes securing and deploying Office 365 easier, with industry-leading enterprise mobility management (EMM) to keep your devices and users safe. Learn more about how Workspace ONE protects Office 365, while providing end users with consumer-level ease of use. Visit vmware.com/products/workspace-one, or contact your VMware account representative for more details.